Threat playbook

Category: Deception & Impersonation

Homograph attacks (lookalike characters) in the browser

A homograph attack uses lookalike characters (often from different alphabets) to create a domain that visually resembles a trusted brand.

Quick answer

Even careful readers miss character-level substitutions: in most UI fonts a Cyrillic “а” or “о” is pixel-identical to its Latin counterpart. Browsers mitigate this with IDN display rules that fall back to the ASCII punycode form (an xn-- label) when a label mixes scripts, but a label built entirely from one non-Latin script can still be rendered in Unicode depending on the browser and version, so the address bar may look “right enough” to pass a quick glance.

For risky links and login flows, isolation keeps the page off the endpoint by running it in a disposable container and streaming only the rendered output to the user. The caveat: isolation removes the endpoint from the blast radius (drive-by exploits, downloads, persistent scripts), but it does not stop a user from typing a password into a rendered lookalike page, so pair it with credentials that are bound to the genuine origin.

Last updated

2026-01-29

How it usually happens in the browser

  • An attacker registers an internationalized domain name (IDN) whose Unicode form resembles the target (for example a Cyrillic “а” in place of Latin “a”). On the wire the label is plain ASCII beginning with xn--, so DNS resolves it normally and the attacker can obtain a valid domain-validated TLS certificate for it.
  • Victims receive a link or search result that appears identical to the real domain.
  • The attacker serves a cloned login page or a fake download/support portal.
  • Credentials, tokens, or payment details are captured and reused elsewhere.

What traditional defenses miss

  • Human URL inspection fails when characters are visually indistinguishable.
  • Blocklists enumerate domains already seen; the space of confusable variants of a brand is far too large to pre-register or pre-list, so a fresh registration is clean until someone reports it.
  • Security awareness training rarely covers IDN/punycode nuances in a memorable way.

How isolation changes the game

  • Isolation treats unknown destinations as risky by default and keeps active content away from the endpoint.
  • Policy can combine domain reputation signals with isolation for “unknown/IDN-heavy” destinations.
  • Disposable sessions reduce exposure from follow-on downloads and embedded scripts used in these lures.

Operational checklist

  • Force unknown domains into isolation; consider stricter handling for IDN destinations if your environment permits.
  • Promote bookmark-based access for critical apps; avoid “type the URL” workflows.
  • Use password managers that validate the exact (punycode) domain before autofill, and prefer passkeys/WebAuthn where available: the credential is bound to the registered origin, so a lookalike domain cannot obtain a usable assertion even if the user proceeds.
  • Monitor for lookalike registrations of your brand and major vendors used by your org.
  • Train users on the rule: if the login prompt is unexpected, stop and verify via official entry points.
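The triage logic that a URL policy engine (the “force unknown/IDN destinations into isolation” rule above) or a brand-monitoring job (the “monitor for lookalike registrations” item) would run over candidate domains, as an added example. This is not code from this page or from Legba. It assumes a constructed brand watchlist and uses a hand-picked subset of the Unicode UTS #39 confusables table; the sample domains are constructed for illustration. It goes slightly beyond the page by also catching ASCII digit swaps (paypa1), since the same skeleton comparison covers them.

```python
"""Homograph / lookalike domain triage for a URL policy engine.

Added example, not code from the original page or from the Legba product.
Assumes a small, constructed brand watchlist; CONFUSABLES is a hand-picked
subset of Unicode UTS #39 confusables.txt, not the full data file.
"""
import unicodedata

# Brands to protect: skeleton -> the one legitimate registrable domain.
# Constructed for illustration; a real deployment loads this from config.
WATCHLIST = {
    "apple": "apple.com",
    "paypal": "paypal.com",
    "cisco": "cisco.com",
}

# Characters that render like a Latin ASCII letter in common UI fonts.
# Keys are written as escapes so the code points are unambiguous.
CONFUSABLES = {
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # х CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # у CYRILLIC SMALL LETTER U
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # ј CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # һ CYRILLIC SMALL LETTER SHHA
    "\u0501": "d",  # ԁ CYRILLIC SMALL LETTER KOMI DE
    "\u051b": "q",  # ԛ CYRILLIC SMALL LETTER QA
    "\u051d": "w",  # ԝ CYRILLIC SMALL LETTER WE
    "\u04cf": "l",  # ӏ CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # ο GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # ν GREEK SMALL LETTER NU
    "\u03b9": "i",  # ι GREEK SMALL LETTER IOTA
    "\u0131": "i",  # ı LATIN SMALL LETTER DOTLESS I
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G
    "0": "o",       # ASCII digit swaps are caught by the same comparison
    "1": "l",
}


def script_of(ch):
    """Script family of a character, taken from its Unicode character name.

    Digits and hyphen are 'COMMON' so they never count toward script mixing.
    """
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(label):
    """Collapse confusable characters so visually identical labels compare equal."""
    label = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def to_punycode(domain):
    """ASCII (xn--) form that DNS actually sees; pure-ASCII domains are unchanged."""
    return domain.encode("idna").decode("ascii")


def analyze(domain):
    """Classify a domain as allow / isolate / block and return the signals used."""
    domain = domain.strip().lower().rstrip(".")
    labels = domain.split(".")
    # Simplification: the label left of the TLD is treated as the registrable name.
    # A real policy engine should consult the Public Suffix List (co.uk etc.).
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    scripts = {script_of(ch) for ch in registrable} - {"COMMON"}
    is_idn = not domain.isascii()
    lookalike_of = WATCHLIST.get(skeleton(registrable))

    if domain in WATCHLIST.values():
        verdict = "allow"          # the genuine brand domain itself
    elif lookalike_of is not None and domain != lookalike_of:
        verdict = "block"          # visually impersonates a watched brand
    elif is_idn:
        verdict = "isolate"        # unknown IDN: render it off the endpoint
    else:
        verdict = "allow"

    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "is_idn": is_idn,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "lookalike_of": lookalike_of if verdict == "block" else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed samples: the real brand, a whole-script Cyrillic clone of
    # cisco, a mixed-script paypal clone, an ASCII digit swap, a benign German IDN.
    for sample in ["apple.com", "\u0441\u0456\u0455\u0441\u043e.com",
                   "p\u0430ypal.com", "paypa1.com", "m\u00fcnchen.de"]:
        r = analyze(sample)
        print(f"{r['punycode']:<22} {r['verdict']:<8} mixed={r['mixed_script']} "
              f"lookalike_of={r['lookalike_of']}")
```

The whole-script Cyrillic clone is the case worth noticing: it has no script mixing at all, so a mixed-script heuristic alone passes it, and only the skeleton comparison against the watchlist catches it. Map the verdicts onto the policy above: "block" feeds the blocklist and the brand-abuse takedown queue, "isolate" is the default for any IDN the policy has no reputation for, and "allow" is reserved for exact matches on known-good domains.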



Legba is a disposable real browser: it spawns a clean session, does the work, and destroys itself on close.
